Sparkle updater vulnerability: What you need to know!
A vulnerability has been discovered in an open-source framework that many developers have been using to provide app update services for the Mac. That it exists at all is not good, but that it hasn't been used to perform any real world attacks "in the wild", and that developers can update to prevent it, means it's something you should know about but nothing you should go into red alert over, at least not yet.
What's Sparkle?
Sparkle is an open source project that many OS X apps use to provide update functionality: the app periodically fetches an update feed from the developer's server and, if a newer version is listed, downloads and installs it. Here's the official description:
So, what's happening with Sparkle?
Starting in late January, an engineer who goes by the name "Radek" started discovering vulnerabilities in the way some developers had implemented Sparkle. According to Radek:
In other words, some developers weren't serving their apps' update feed over HTTPS. Without TLS the connection is neither encrypted nor authenticated, so anyone positioned on the network path (on the same Wi-Fi network, say, or controlling a router between you and the developer's server) can read and rewrite what the app receives when it checks for updates, and could slip in malware.
Lack of HTTPS exposes people to person-in-the-middle attacks on ordinary web traffic too, and there the usual worry is that sensitive information leaks. Because Sparkle's whole purpose is to install new code, the stakes here are higher: an attacker who can tamper with the update check can push malicious code to a vulnerable app as if it were a legitimate update.
Does this affect Mac App Store apps?
No. Mac App Store (MAS) apps are updated through the App Store's own mechanism, not Sparkle. Some apps, however, ship in versions both on and off the App Store, so while the MAS version of an app is unaffected, the non-MAS version of the same app may not be.
Radek made sure to point out:
Which apps are affected?
A list of apps that use Sparkle is available on GitHub. Using Sparkle does not by itself make an app vulnerable: what matters is how each developer configured it, in particular whether the update feed is served over HTTPS. So while a "huge" number of Sparkle apps are vulnerable, others are secure.
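As an added example (not code from this article, from Sparkle, or from Radek), here is a Python script that does a first-pass check of which installed apps use Sparkle and whether their update feed is declared over plain HTTP. Sparkle reads the feed URL from the SUFeedURL key in an app's Info.plist and ships as Sparkle.framework inside the app bundle; both are real Sparkle conventions. The sample plists, the app names and the example.invalid hosts below are constructed for the demonstration.

```python
import os
import plistlib
from typing import Optional

FEED_KEY = "SUFeedURL"  # Sparkle reads the appcast (update feed) URL from this Info.plist key


def classify_feed(url: Optional[str]) -> str:
    """Classify an update-feed URL by how exposed it is to tampering in transit.

    'https' -> fetched over TLS: authenticated, not trivially rewritable on the wire
    'http'  -> plain HTTP: anyone on the network path can rewrite the response
    'none'  -> no SUFeedURL in Info.plist (Sparkle also lets apps set it at runtime,
               which this scan cannot see)
    'other' -> some other scheme; inspect manually
    """
    if not url:
        return "none"
    scheme = url.split(":", 1)[0].strip().lower()
    if scheme == "https":
        return "https"
    if scheme == "http":
        return "http"
    return "other"


def inspect_info_plist(plist_bytes: bytes) -> dict:
    """Parse an Info.plist and report the app name, feed URL and feed classification."""
    info = plistlib.loads(plist_bytes)
    url = info.get(FEED_KEY)
    return {"name": info.get("CFBundleName", "<unknown>"), "feed_url": url, "feed": classify_feed(url)}


def bundles_sparkle(app_path: str) -> bool:
    """True if the .app ships Sparkle.framework alongside its other frameworks."""
    return os.path.isdir(os.path.join(app_path, "Contents", "Frameworks", "Sparkle.framework"))


def scan_applications(root: str = "/Applications") -> list:
    """Return a report entry for every .app under `root` that appears to use Sparkle.

    An app counts as a Sparkle user if it bundles Sparkle.framework or declares SUFeedURL.
    """
    report = []
    if not os.path.isdir(root):
        return report
    for entry in sorted(os.listdir(root)):
        app = os.path.join(root, entry)
        plist_path = os.path.join(app, "Contents", "Info.plist")
        if not entry.endswith(".app") or not os.path.isfile(plist_path):
            continue
        try:
            with open(plist_path, "rb") as fh:
                result = inspect_info_plist(fh.read())
        except Exception as exc:  # unreadable or malformed plist: record it, keep scanning
            report.append({"name": entry, "feed_url": None, "feed": "unreadable: %s" % exc, "path": app})
            continue
        if bundles_sparkle(app) or result["feed_url"] is not None:
            result["path"] = app
            report.append(result)
    return report


# Constructed sample Info.plist contents (not real apps) so the example runs anywhere.
SAMPLE_HTTP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>LegacyApp</string>
  <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
"""

SAMPLE_HTTPS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>SecureApp</string>
  <key>SUFeedURL</key><string>https://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
"""

SAMPLE_NO_FEED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>CFBundleName</key><string>NoFeedApp</string></dict>
</plist>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP_PLIST, SAMPLE_HTTPS_PLIST, SAMPLE_NO_FEED_PLIST):
        print(inspect_info_plist(sample))
    # On a Mac this also walks the real /Applications folder; elsewhere it prints nothing.
    for item in scan_applications():
        flag = "INSECURE FEED" if item["feed"] == "http" else item["feed"]
        print("%-30s %-14s %s" % (item["name"], flag, item.get("feed_url")))
```

Run it on a Mac to list the Sparkle apps in /Applications, with any whose SUFeedURL starts with http:// flagged INSECURE FEED; point `scan_applications` at ~/Applications or another folder for apps installed elsewhere. Treat the result as a first pass only: an app can set its feed URL at runtime rather than in Info.plist, an HTTPS feed URL says nothing about what the feed itself links to, and the actual remedy is a fixed build from the developer.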
What can I do?
People who have a vulnerable app that uses Sparkle may want to disable automatic updates in the app and avoid manually checking for updates on networks they don't trust, such as public Wi-Fi, since the attack requires a position on the network path. Then wait for the developer to release a fixed version and download it directly from the developer's website over HTTPS.
Ars Technica, which has been following the story, also advises:
Ugh. Bottom-line me!
There's a risk that this vulnerability could be used to get malicious code onto your Mac, and that would be bad. But the probability of it happening to most people is low.
Now that it's public, developers using Sparkle should be sprinting to confirm whether they're affected and, if they are, to get fixed updates into customers' hands immediately.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.